Surrogate IP Issue


(Keith) #1

In this case, the customer is using a custom app that uses Google Maps to display their building locations etc. It seems that all of the data is pulled by googleapis.com on HTTP and not HTTPS. Traffic goes out of the PC via GRE to Zscaler. The app in use requires IP surrogacy to work. The IP is set to expire at 8 hours, then it breaks. It is not until they do some browsing via HTTPS that ip.zscaler.com shows them as logged in again and then the app starts working again. Enabling XFF did not help. Currently, they are not doing TLS interception.

Notes Regarding IP surrogacy:
Requirements
• To use this feature, your organization must use one of the following methods to forward traffic to the service:
  ○ A GRE or IPsec tunnel without NAT (met)
  ○ Forward proxy chaining with the XFF Forwarding option enabled on the location (enabled temporarily, did not cause surrogacy to kick in)
  ○ Your organization subscribes to a dedicated proxy port (cannot check as zadmin is down)
• The location must have authentication enabled. (met)

So, what can we do to make this work without a user visiting an HTTPS site or something to kick off authentication and getting the surrogate IP assigned? These are kiosks and they are only ever browsed by the app and only go to the limited sites built into that. They also mentioned the computers reboot every night. Could we run an automated task or maybe a PowerShell script to get that IP going again?
Thanks!


(Keith) #2

There is no dedicated proxy port…


(Scott Bullock) #3

I’d suggest these computers use our Auth Bypass service port of port 9480, or bypass the googleapis.com domain from Auth in the AdminUI -> Admin -> Advanced setting.